From: David Woodhouse <dwmw@xxxxxxxxxxxx>
We carefully avoid the realloc() API trap by *not* using the
'ptr = realloc(ptr, new_size)' idiom which can lead to leaks on
failure. Very commendable, even though all we're going to do is
exit() on failure so it wouldn't have mattered.
What *does* matter is that we then ask zlib to continue
decompression... just past the end of the *old* buffer that just
got freed. Oops.
Apparently nobody has *ever* tested this code by booting a uImage
with a compressed payload larger than 10MiB.
Signed-off-by: David Woodhouse <dwmw at amazon.co.uk>
---
kexec/kexec-uImage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c
index 5e24629..667cd93 100644
--- a/kexec/kexec-uImage.c
+++ b/kexec/kexec-uImage.c
@@ -210,9 +210,9 @@ static int uImage_gz_load(const unsigned char *buf, off_t len,
return -1;
}
+ uncomp_buf = new_buf;
strm.next_out = uncomp_buf + mem_alloc - inc_buf;
strm.avail_out = inc_buf;
- uncomp_buf = new_buf;
} else {
printf("Error during decompression %d\n", ret);
return -1;
--
2.9.3
